
CVE-2025-8088: Hackers Exploit WinRAR Zero-Day to Plant Stealthy Malware

Overview

A critical security vulnerability, tracked as CVE-2025-8088, affects WinRAR versions 7.12 and earlier. It is a path traversal flaw: a specially crafted RAR archive can carry alternate data stream (ADS) entries whose names contain ..\ sequences, so that extracting the archive writes attacker-controlled files outside the chosen extraction directory, including into sensitive locations such as the Windows Startup folder. Successful exploitation can lead to arbitrary code execution, persistence on the system, and unauthorized access to user data. Multiple cybersecurity reports confirm that threat groups including RomCom and Paper Werewolf are actively exploiting the vulnerability in targeted phishing campaigns whose lures are disguised as job applications and resumes.


Real-World Exploitation

Multiple sources confirm active exploitation:

  • RomCom (aka Storm-0978): A Russia-aligned APT reported by BleepingComputer to be using resume-themed phishing emails carrying weaponized archives that deploy malware including Mythic Agent, SnipBot, and RustyClaw.

  • Paper Werewolf (aka GOFFEE): According to SOCRadar, this group is alleged to have bought the exploit for $80,000 on the Exploit.in forum before it saw widespread deployment.

ESET, which discovered the flaw and reported it to WinRAR, notes that this is at least the third documented RomCom campaign built on a previously unknown vulnerability, a sign of continued operational maturity and a preference for stealthy initial access.


How the Exploit Works

Figure 1: How attackers use a malicious RAR file in CVE-2025-8088 to compromise a victim’s system

The attack depends on the archive looking innocuous. Listed normally, it appears to contain a single harmless document, such as a resume or application letter. The malicious content is stored in NTFS alternate data streams (ADS) attached to that document, which a standard listing does not show. The stream names are the weapon: they contain path traversal sequences (..\), and a vulnerable WinRAR writes each stream's data to the path those sequences resolve to instead of keeping it under the extraction directory. Some streams carry the real payloads; others are decoys whose only job is to clutter the listing and the warning output.

When the victim extracts the archive:

  • Malicious DLL files are written into the user's temporary or local application data folders (%TEMP%, %LOCALAPPDATA%).

  • Shortcut files (.lnk) are written into the Windows Startup folder so that they run automatically at the next logon or restart.

  • The traversal is carried by the ADS names themselves: a stream name such as document.pdf:..\..\..\<target path> makes the extractor step out of the extraction directory, and long runs of ..\ reach the drive root no matter how deep the user extracts.

  • WinRAR does display warnings for stream names it cannot write, but the attackers pad the archive with many junk ADS entries so that the few warnings that matter are buried in a long list of harmless-looking ones.
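To make the traversal mechanism concrete, here is an added illustration (not WinRAR's code and not from the reports cited on this page) that models the flawed destination-path construction next to a hardened one, and also gives the triage check that mitigation step 4 below asks for. Assumptions, labelled in the code: the vulnerable extractor appends the entry name (host file, a colon, then the stream name) to the extraction directory and hands the result to Win32, whose normalization collapses ..\ components; ntpath.normpath stands in for that normalization so the script runs on any platform; the entry names, the username "victim" and the payload file names are constructed for the example.

```python
"""Model of the CVE-2025-8088 ADS path traversal and a hardened check.

Added illustration, not WinRAR's source. ASSUMPTION: the vulnerable extractor
builds a stream's destination by joining the extraction directory with the raw
entry name ("host:stream") and lets Win32 normalize it; ntpath.normpath
simulates that normalization here so the script runs on Linux as well.
"""
import ntpath
import re

STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample entry names (illustrative, not copied from a real archive).
# Entry 2 climbs to the drive root with a surplus of '..' so the depth of the
# extraction directory does not matter; entry 3 climbs relative to it.
SAMPLE_ENTRIES = [
    r"Eli_Rosenfeld_CV.pdf",                                   # the decoy document
    r"Eli_Rosenfeld_CV.pdf:Zone.Identifier",                   # harmless-looking stream
    r"Eli_Rosenfeld_CV.pdf:" + "..\\" * 15 + r"Users\victim\%s\Updater.lnk" % STARTUP,
    r"Eli_Rosenfeld_CV.pdf:" + "..\\" * 3 + r"AppData\Local\Temp\msedge.dll",
]

_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def split_ads(entry_name):
    """Split 'host:stream' into (host, stream); stream is None without an ADS.
    Archive entry names are relative, so a colon can only introduce a stream."""
    host, sep, stream = entry_name.partition(":")
    return host, (stream if sep else None)


def vulnerable_stream_target(dest_dir, entry_name):
    """Flawed construction: the entry name is appended verbatim, then normalized.
    The first '..' is glued to the colon ('CV.pdf:..' is one path component),
    so every later '..' pops a real directory off the extraction path."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_stream_target(dest_dir, entry_name):
    """Hardened construction (dest_dir must be absolute). Returns the final
    path, or None if the entry must be refused: a stream name may not contain
    path separators, another colon or a '..' component, and the host file must
    still be inside dest_dir after normalization (the Zip Slip rule)."""
    host, stream = split_ads(entry_name)
    if stream is not None:
        if not stream or any(c in stream for c in "\\/:") or _TRAVERSAL.search(stream):
            return None
    if ntpath.isabs(host) or ntpath.splitdrive(host)[0] or _TRAVERSAL.search(host):
        return None
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, host))
    if ntpath.commonpath([base, target]) != base:
        return None
    return target if stream is None else target + ":" + stream


def flag_suspicious_entries(entry_names):
    """Triage helper for an archive listing: every entry the hardened rule
    would refuse. Run this over the listing before anyone extracts it."""
    return [n for n in entry_names if safe_stream_target(r"C:\extract", n) is None]


if __name__ == "__main__":
    base = r"C:\Users\victim\Downloads"
    for name in SAMPLE_ENTRIES:
        print("entry    :", name)
        print("  flawed :", vulnerable_stream_target(base, name))
        print("  safe   :", safe_stream_target(base, name))
```

Running the script shows the two hostile entries resolving to the victim's Startup folder and %LOCALAPPDATA%\Temp under the flawed construction while the hardened function refuses them, and flag_suspicious_entries returns exactly those two names from the listing. The containment check is done after normalization on purpose: checking the raw string for ".." is not enough once path normalization has the last word.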


How the Malware Behaves After Infection

Once installed, the malicious files may:

  • Lie dormant until the next logon or restart, when the Startup shortcut launches the dropped DLL.

  • Download further payloads from attacker-controlled infrastructure.

  • Steal sensitive data or give the attacker remote access to the victim's system.


Mitigation Strategies

Security teams and end users should immediately take the following steps:

  1. Patch Now: Update to WinRAR 7.13 or later. WinRAR has no auto-update mechanism, so the new build must be downloaded from the vendor and installed manually; every earlier version is vulnerable. The Windows versions of RAR, UnRAR, the portable UnRAR source code and UnRAR.dll are also affected, so check any product that embeds them; the Unix builds and RAR for Android are not.

  2. Block Suspicious Archives: Treat unsolicited RAR attachments as hostile, in particular resume- and job-application-themed ones like those RomCom sends, and filter them at the mail gateway where possible.

  3. Monitor and Scan: Check the per-user and all-users Startup folders, %TEMP% and %LOCALAPPDATA% for recently created DLL or LNK files, and confirm whether WinRAR.exe was the process that wrote them.

  4. Hunt for Traversal Indicators: Review WinRAR's error log (rar.log) where error logging is enabled, inspect suspicious archives for entries whose names contain a colon followed by ..\ sequences, and look in endpoint telemetry for WinRAR.exe creating files outside the directory the user chose for extraction, especially in Startup.


Conclusion

This case reinforces how everyday utilities like file archivers can become threat vectors when combined with clever exploitation techniques. With CVE-2025-8088 under active abuse, visibility, patching, and education are vital defences. As always, treat unexpected RAR attachments as potentially malicious until validated.


Resources

  1. ESET – Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability. A deep dive into CVE-2025-8088 and RomCom's exploitation tactics.

  2. The Hacker News – WinRAR Zero-Day Under Active Exploitation. Urgent advisory on the vulnerability and the patch release.

  3. SOCRadar – CVE-2025-8088: WinRAR Zero-Day Exploited in Targeted Attacks. Overview of the threat actors and campaign details.

  4. BleepingComputer – WinRAR zero-day exploited to plant malware on archive extraction. Technical breakdown of the phishing and payload delivery.
